If you have an iPhone, this matters to you. On March 23, 2026, a sophisticated iPhone hacking toolkit known as DarkSword was leaked publicly on GitHub, meaning a tool once reserved for government intelligence agencies and elite cyber-espionage operations is now freely available to any hacker on the planet. Security experts are calling it one of the most significant iOS security events in years.

The good news: a patch exists. The bad news: hundreds of millions of people haven't installed it yet.

What Is DarkSword?

DarkSword is a full-chain iOS exploit kit - meaning it chains together multiple vulnerabilities to fully compromise an iPhone from initial access all the way to data exfiltration. It was originally developed for and used by state-sponsored hacking groups, with ties to Russian espionage operations targeting Ukrainian government devices, as well as campaigns in Saudi Arabia, Turkey, and Malaysia.

The exploit works through Safari and WebKit. If a target visits a compromised or malicious website, DarkSword can silently break through multiple iOS security layers, no app download required. Once on a device, it can steal:

  • Contacts, call history, and iMessages
  • Encrypted communications and app data
  • GPS location data and photos
  • iOS Keychain contents (Wi-Fi passwords, saved credentials)
  • Access to the camera and microphone

Google's Threat Intelligence Group (GTIG), iVerify, and Lookout jointly investigated DarkSword and confirmed it had been in active use by multiple threat actors since at least November 2025 before the GitHub leak.

Why the GitHub Leak Is a Game-Changer

Before the leak, DarkSword required significant technical expertise and resources to deploy. That changed on March 23rd.

The leaked files are written entirely in HTML and JavaScript, no specialized iOS knowledge required. According to Matthias Frielingsdorf, co-founder of mobile security firm iVerify, the exploits will work "out of the box" and can be copied, hosted on a server, and used to attack vulnerable iPhones in a matter of hours. "I don't think that can be contained anymore," he told TechCrunch. "We need to expect criminals and others to start deploying this."

GitHub removed the original repository after it was flagged, but mirror copies have already spread across multiple platforms, making the code effectively impossible to fully contain.

Am I Vulnerable?

The DarkSword exploit targets iPhones and iPads running iOS 18.4 through 18.7. More precisely, DarkSword works against iOS versions 18.4 through 18.6.2, with Apple addressing those flaws in iOS 18.7.2 and 18.7.3 — meaning users running any iOS version between 18.4 and 18.7.1 remain at risk until they update. Researchers estimate that approximately 14–17% of all active iPhone users, potentially over 220 million devices, fall into this vulnerable range.

Older devices running iOS 15 or 16 may also be at risk from related vulnerabilities. Apple has issued emergency patches across all affected iOS branches.

Here is a quick breakdown by iOS version:

  • iOS 26.x users: Update to iOS 26.4 or later - you are protected
  • iOS 18.x users: Update to iOS 18.7.6 or later - you are protected
  • iOS 16.x users: Update to iOS 16.7.15 - Apple issued an emergency patch
  • iOS 15.x users: Update to iOS 15.8.7 - Apple issued an emergency patch
  • iOS 13 or 14 users: These versions no longer receive updates - consider upgrading your device

If you are not sure which iOS version you are running, go to Settings > General > About on your iPhone.

What You Should Do Right Now

1. Update Your iPhone Immediately

This is the single most effective thing you can do. Go to Settings > General > Software Update and install any available updates right now. Apple spokesperson Sarah O'Rourke confirmed that "devices with updated software were not at risk from these reported attacks."

2. Enable Lockdown Mode (High-Risk Users)

If you are a journalist, executive, attorney, activist, or anyone who may be a targeted individual, enable Lockdown Mode immediately. Apple has confirmed that Lockdown Mode blocks the specific attack vectors used by DarkSword. You can find it at Settings > Privacy & Security > Lockdown Mode.

3. Check If Your Device Was Already Compromised

iVerify is offering its Basic app for free through May 2026, which can detect live DarkSword infections. If you have reason to believe your device may have been compromised, particularly if you visit many websites or clicked on unexpected links in the past few months - it is worth checking.

4. Be Cautious of Unexpected Links

DarkSword is delivered via compromised websites (known as a "watering hole" attack). Avoid clicking on unsolicited links in iMessage, WhatsApp, email, or social media - especially while your device remains unpatched.

The Bigger Picture: A New Era of Mobile Threats

DarkSword is the second major iOS exploit kit to surface publicly in March 2026 alone. The first, known as Coruna, targeted iPhones running iOS 13 through 17.2.1. Together, these two exploit chains cover a massive swath of active iPhone users.

What was once confined to the world of nation-state espionage has now effectively become open-source. As Pete Luban, Field CISO at AttackIQ, noted: "The same access can support intelligence collection one day and financial theft the next." The proliferation of these tools means the threat landscape for everyday iPhone users has fundamentally shifted.

The bottom line is this: keeping your device updated is no longer optional. It is your primary line of defense.

Need Help Securing Your Devices?

Red Key Solutions specializes in helping businesses and individuals stay secure in an evolving threat landscape. If you have questions about DarkSword, need help assessing your organization's mobile security posture, or want to ensure your team's devices are protected, we're here to help.

Is your business's mobile security ready for the next DarkSword? Contact Red Key Solutions today for a free security assessment and protect your team before attackers strike.